MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 79cf97a156358a7dfba188f7b6d516e62279a11fb15b828bbd676b15633c008e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkTortilla


Vendor detections: 13


Intelligence 13 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 79cf97a156358a7dfba188f7b6d516e62279a11fb15b828bbd676b15633c008e
SHA3-384 hash: af01bd4d55a8f137310fa98e150173032b5c6dba935bd57172573825cedfc6be64bd81c4de4a97212cc9e163a5b19637
SHA1 hash: b7d03ad2e90ea8f81ba755c6e5c551e2686c679c
MD5 hash: a7f1b43bb75327181bf5535f6eab329d
humanhash: berlin-queen-apart-lake
File name:file
Download: download sample
Signature DarkTortilla
Create hunting rule
File size:9'643'376 bytes
First seen:2024-08-09 20:58:44 UTC
Last seen:2024-08-10 11:45:20 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 196608:yt2OL8IgYaEYShQuM4PaZaCFO5lThlQcqsFDFP/4Qbp/xHKd3fc2obL:ycOL85ShLzPdcqVqsFJHXB9K3fcTbL
TLSH T176A6331A95D80C6ED416D2BEC34026D39E9232415297E3C27E9D8BFE1FB29DB46CC385
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 30b2b2f069f0d48a (6 x AgentTesla, 2 x DarkTortilla, 2 x PureLogsStealer)
Reporter Bitsight
Tags:DarkTortilla exe


Avatar
Bitsight
url: https://helleaa.com/temp/VLC3.exe

Intelligence

File Origin
# of uploads :
4
# of downloads :
361
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://github.com/evan9908/Loader-maker-/blob/main/Setup.zip
Verdict:
No threats detected
Analysis date:
2024-08-09 19:32:57 UTC
Tags:
github
Link:
https://app.any.run/tasks/66a4a825-3c67-44d9-b16f-f2e95cda4b1b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.InjectorX-gen.508.22828.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
90.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66b6831ab35234d5cc65c3c8
Tags:
Encryption Network Static Stealth Kryptik
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated overlay packed
Link:
https://www.filescan.io/uploads/66b6831ae565ee98cf3e22ab/reports/ccfb3858-90a8-4e3e-b95e-522a770922cf/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/79cf97a156358a7dfba188f7b6d516e62279a11fb15b828bbd676b15633c008e
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d096ec26-eb2d-43c8-9cb4-2c9b94737cd0
Result
Threat name:
DarkTortilla
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1490825
Signature
.NET source code contains potential unpacker
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Connects to a pastebin service (likely for C&C)
Creates HTML files with .exe extension (expired dropper behavior)
Drops script or batch files to the startup folder
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected DarkTortilla Crypter
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1490825 Sample: file.exe Startdate: 09/08/2024 Architecture: WINDOWS Score: 100 46 pastebin.com 2->46 48 yip.su 2->48 50 iplogger.com 2->50 52 Antivirus detection for URL or domain 2->52 54 Antivirus / Scanner detection for submitted sample 2->54 56 Multi AV Scanner detection for submitted file 2->56 60 7 other signatures 2->60 7 file.exe 3 2->7         started        11 cmd.exe 1 2->11         started        13 cmd.exe 1 2->13         started        15 6 other processes 2->15 signatures3 58 Connects to a pastebin service (likely for C&C) 46->58 process4 file5 38 C:\Users\user\AppData\Local\...\file.exe.log, ASCII 7->38 dropped 66 Writes to foreign memory regions 7->66 68 Allocates memory in foreign processes 7->68 70 Hides that the sample has been downloaded from the Internet (zone.identifier) 7->70 72 Injects a PE file into a foreign processes 7->72 17 InstallUtil.exe 15 9 7->17         started        22 conhost.exe 11->22         started        24 conhost.exe 13->24         started        26 conhost.exe 15->26         started        28 conhost.exe 15->28         started        30 conhost.exe 15->30         started        32 3 other processes 15->32 signatures6 process7 dnsIp8 40 pastebin.com 172.67.19.24, 443, 49721, 49724 CLOUDFLARENETUS United States 17->40 42 iplogger.com 172.67.188.178, 443, 49723, 49735 CLOUDFLARENETUS United States 17->42 44 yip.su 188.114.96.3, 443, 49722, 49725 CLOUDFLARENETUS European Union 17->44 34 C:\Users\...\Q266LY31DJuBkUgU7rnVY9MU.bat, ASCII 17->34 dropped 36 C:\Users\...367dCpczI2KMQNpAzS7xasjkw.bat, ASCII 17->36 dropped 62 Drops script or batch files to the startup folder 17->62 64 Creates HTML files with .exe extension (expired dropper behavior) 17->64 file9 signatures10
Score:
65%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/79cf97a156358a7dfba188f7b6d516e62279a11fb15b828bbd676b15633c008e
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/79cf97a156358a7dfba188f7b6d516e62279a11fb15b828bbd676b15633c008e/
Threat name:
Win32.Trojan.Amadey
Create hunting rule
Status:
Malicious
First seen:
2024-08-09 20:59:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
16
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=phhzpikwgwfh365brd33nviw4yrhtii7wfnyfc55m5vrkyz4acha._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery
Link:
https://tria.ge/reports/240809-zsp6wssfrg/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Drops startup file
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/018c68fa-6454-4fcd-b38a-2012c552a088
Unpacked files
SH256 hash:
56aaa2b9e53d69dd75c8d1247220d8ea97b1b7705796b2e2ddff34c7eea8adee
MD5 hash:
50f28d178452b2db4e1f466904e55c78
SHA1 hash:
d9a3246a570715d756a6c653b6818afb99ae39ec
Link:
https://www.unpac.me/results/3db4eea9-ed24-4b5e-9f27-82d9aff1e8cd/
SH256 hash:
0781f74db6c9ff7aa0c1e76dd0ebc4a9575fba6caca9aac9fb0131c5a73c84be
MD5 hash:
2c064163cda2f093cf6d20302481dff7
SHA1 hash:
cf948b10d999c369ef51972f86278a4f536d400d
Link:
https://www.unpac.me/results/3db4eea9-ed24-4b5e-9f27-82d9aff1e8cd/
SH256 hash:
90caafea3e9a3abf21b509a324c9875f10e9dd1ad841298673ae5879f0da9f3d
MD5 hash:
1cfa084fea3d2f7a0e35107d43f0d8b0
SHA1 hash:
67deda860f91d2487891a63bbbc9684409e8be63
Link:
https://www.unpac.me/results/3db4eea9-ed24-4b5e-9f27-82d9aff1e8cd/
SH256 hash:
20f0619336fb27994a740fb37794d83d027646bbf0d826d8b3542f042412a908
MD5 hash:
d334fdbe7080a9e36d94001903199491
SHA1 hash:
5d10fa7e8de420744a3ad3358428f16e796c3c1a
Link:
https://www.unpac.me/results/3db4eea9-ed24-4b5e-9f27-82d9aff1e8cd/
SH256 hash:
79cf97a156358a7dfba188f7b6d516e62279a11fb15b828bbd676b15633c008e
MD5 hash:
a7f1b43bb75327181bf5535f6eab329d
SHA1 hash:
b7d03ad2e90ea8f81ba755c6e5c551e2686c679c
Link:
https://www.unpac.me/results/3db4eea9-ed24-4b5e-9f27-82d9aff1e8cd/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/79cf97a15635/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/79cf97a156358a7dfba188f7b6d516e62279a11fb15b828bbd676b15633c008e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DarkTortilla

Executable exe 79cf97a156358a7dfba188f7b6d516e62279a11fb15b828bbd676b15633c008e

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3098259/
  
URLhaus
https://urlhaus.abuse.ch/url/3099622/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments